Many clients are rightly looking at how they can explicitly confirm, ahead of the GDPR coming into force, whether existing customers want to receive marketing emails, general contact, etc. This is a nice idea but fraught with potential hazards if they do not consider whether their approach to using existing personal data is in line with customers’ currently expressed wishes.

A company may have entered into a Contractual Obligation in selling a product or providing a service to a customer; however, that doesn’t mean that going forward it could rely on any ‘Legitimate Interest’ in keeping in touch with that customer for marketing purposes, or for any contact at all. Consent to be contacted would still be required even to receive emails that were not marketing related, although this is unlikely to block contact on the grounds of ‘Vital Interest’, say when a product needs a recall where a risk to life or the person has been identified.

If you have a marketing database where you are currently relying on Consent alone to email or post marketing or other communications, you need to investigate how consent was obtained originally. Under the GDPR consent must be explicitly and freely given, and the ‘opt-in’ must be exactly that: the prospect must have put a tick in the box to explicitly say ‘Yes’, not been opted in because the box was already ticked for them. Also, was the privacy notice in force at the time their personal data was collected enough to satisfy the GDPR? (Remember, under the GDPR the privacy notice for a bought list of personal data is different from that required for personal data collected directly from the Data Subject.) If the basis on which consent was given is in line with the requirements of the GDPR then you are unlikely to need to reaffirm consent, but going forward prospects should be given the option to opt out.

Now, what to do about existing customers?

Hopefully, with your customer list, each customer had been given the opportunity to indicate what their contact preferences were, i.e., for marketing, for newsletters, etc., and whether they wanted to receive contact at all by email or any other means.

So, you decide to email every customer on your list to invite them to ‘update their preferences’. Your email has no marketing in it, you are simply making them aware of the GDPR and asking them to revisit their contact choices.

The issue is that if any of your customers had previously indicated that they ‘did not want contact’ from you and you include them in the invitation to ‘update their preferences’, then even with an email that contains no marketing at all you would likely breach the law. To quote the ICO’s Head of Enforcement (Information Commissioner’s Office – the UK’s Regulator), “you cannot breach one law to prevent a breach of another”.

In 2017, the ICO found that an airline had deliberately sent some 3.3 million emails to people who had told them they did not want to receive marketing emails from them. The emails, sent in August 2016, with the title ‘Are your details correct?’ advised recipients to amend any out of date information and update any marketing preferences. The email also said that by updating their preferences, people may be entered into a prize draw.

In another case, the ICO found that a motor company had sent 289,790 emails to clarify certain customers’ choices for receiving marketing. The company believed the emails were not classed as marketing but customer service emails to help the company comply with data protection law. The company was unable to provide evidence that the customers had ever given their consent to receive this type of email.

The total of fines across the two companies was £83,000. (These fines were under PECR/DPA; would they be higher under the GDPR? Probably.)

Steve Eckersley, ICO Head of Enforcement, said: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.” “In [the airline’s] case, the company deliberately contacted people who had already opted out of emails from them.”

He warned: “Businesses must understand they can’t break one law to get ready for another.”

It is important that companies take advice when trying to ensure consent is in compliance with the GDPR – don’t get caught out.
